Heartbleed OpenSSL vulnerability: A technical remediation

OpenSSL released a bug advisory, together with a patch, for a flaw in its library that leaks up to 64 KB of memory per request. The bug has been assigned CVE-2014-0160, TLS heartbeat read overrun.

According to OpenSSL, the heartbeat extension was introduced in March 2012 with the release of OpenSSL 1.0.1. This means the vulnerability has existed for just over 2 years. It is a very serious vulnerability that allows protected information to be stolen despite the use of SSL/TLS encryption.

Since the announcement there has been buzz in the underground, and malicious actors have been actively leaking data from the library's memory, using one of the several publicly available PoC scripts against the massive number of services exposed on the internet.

Only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. The targets are mostly port 443. With this, an attacker is able to leak previously allocated data. This can and does include plaintext credentials, session cookies, private keys (allowing arbitrary decryption of SSL/TLS communication), and more. OpenSSH does not appear to be susceptible, since it uses OpenSSL for key generation but not for communication.
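The read overrun comes down to one missing bounds check: the heartbeat message carries its own 16-bit payload_length field, and the vulnerable code copied that many bytes back to the peer without confirming that the enclosing TLS record actually contained them. The following added example (not from the original post or from OpenSSL) is a small Python parser that performs exactly that check over a byte stream, the way an IDS rule or log-inspection script would; the sample records are constructed, not captured traffic.

```python
import struct

# TLS record content type for the Heartbeat extension (RFC 6520).
CONTENT_TYPE_HEARTBEAT = 24
HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload


def parse_tls_records(data):
    """Split raw bytes into (content_type, version, body) TLS records.
    Stops at the first truncated record instead of guessing its contents."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, version, body))
        off += 5 + length
    return records


def check_heartbeat(body):
    """Return None for a well-formed heartbeat body, else a reason string.
    The vulnerable OpenSSL code trusted payload_length; the fixed code and
    this function require type + length + payload + padding to fit the record."""
    if len(body) < 3:
        return "heartbeat body shorter than its type+length header"
    hb_type, payload_length = body[0], struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return f"unknown heartbeat type {hb_type}"
    if 1 + 2 + payload_length + MIN_PADDING > len(body):
        return (f"declared payload_length {payload_length} exceeds record body of "
                f"{len(body)} bytes: heartbeat read overrun (CVE-2014-0160 pattern)")
    return None


def find_malformed_heartbeats(data):
    """Run the bounds check over every heartbeat record in a byte stream."""
    return [(version, reason)
            for ctype, version, body in parse_tls_records(data)
            if ctype == CONTENT_TYPE_HEARTBEAT
            and (reason := check_heartbeat(body)) is not None]


def build_record(ctype, version, body):
    """Helper for the constructed test vectors below (TLS 1.1 version 0x0302)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed samples: a compliant request (3-byte payload, 16 bytes padding)
# and one whose length field claims far more payload than the record holds.
GOOD_HB = build_record(24, 0x0302, bytes([1]) + struct.pack("!H", 3) + b"abc" + b"\x00" * 16)
BAD_HB = build_record(24, 0x0302, bytes([1]) + struct.pack("!H", 200))
```

Feeding captured TLS traffic through find_malformed_heartbeats gives one finding per heartbeat whose declared length cannot be satisfied by its record, which is the condition a Heartbleed signature keys on.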

Heartbleed.com mentions a web-based tool and a couple of scripts for testing whether you are vulnerable to this latest exploit:

This allows us to spam the PoC for recently allocated data and use ngrep to grab the field in which passwords are sent across. Using these two commands, we have been able to grab a large number of passwords sent over HTTPS in plaintext. As you can see, this breaks a large variety of web applications, including online email (Yahoo), banks, and many other targets.

One of the more complicated issues is that the OpenSSL patches were not in line with the upstream of the large Linux flavors, meaning there was a large time window between OpenSSL's patch and when the various flavors of Linux could provide the patch to their user bases. OpenSSL.org has provided an updated version of OpenSSL (1.0.1g) here. Once you have updated to the most recent version, you must then regenerate your private key(s) and SSL certificate(s). We would also recommend resetting all passwords for usernames that were used during the timeframe in which you were vulnerable.

We have had an opportunity to review the behavior of the exploit and have come up with the following IDS signatures to be deployed for detection.